Indexed, Verified

JavaScript/TypeScript Security

JavaScript, TypeScript, and Node.js SAST rules aggregated across verified providers.

Fetch pack

greprules pack fetch javascript-typescript-security --engine opengrep
curl https://api.greprules.io/api/packs/javascript-typescript-security.tar.gz -o javascript-typescript-security.tar.gz

Included rules

CVE-2024-25624: Inadequate Html Escape In Attribute (cve-2024-25624-inadequate-html-escape-in-attribute)
CVE-2024-52011: Vite Launch Editor Cmd Injection (cve-2024-52011-vite-launch-editor-cmd-injection)
CVE-2024-56331: Powershell Command Injection Via Template (cve-2024-56331-powershell-command-injection-via-template)
CVE-2025-11149: Unhandled Fs Sync Exception Dos (cve-2025-11149-unhandled-fs-sync-exception-dos)
CVE-2025-11362: Infinite Redirect Recursion (cve-2025-11362-infinite-redirect-recursion)
CVE-2025-13033: Nodemailer Quoted Address Bypass (cve-2025-13033-nodemailer-quoted-address-bypass)
CVE-2025-14874: Nodemailer Unbounded Address Parsing (cve-2025-14874-nodemailer-unbounded-address-parsing)
CVE-2025-22150: Insecure Multipart Boundary Math Random (cve-2025-22150-insecure-multipart-boundary-math-random)
CVE-2025-23040: Typescript Memory Exhaustion Via Late Size Check (cve-2025-23040-typescript-memory-exhaustion-via-late-size-check)
CVE-2025-3193: Incomplete Prototype Pollution Filter (cve-2025-3193-incomplete-prototype-pollution-filter)
CVE-2025-53107: Git Mcp Server Command Injection (cve-2025-53107-git-mcp-server-command-injection)
CVE-2025-53355: Exec Command Injection (cve-2025-53355-exec-command-injection)
CVE-2025-53544: Local File Read Via File Uri Bypass (cve-2025-53544-local-file-read-via-file-uri-bypass)
CVE-2025-56427: Global Brace Removal Corruption (cve-2025-56427-global-brace-removal-corruption)
CVE-2025-58358: Child Process Exec Injection (cve-2025-58358-child-process-exec-injection)
CVE-2025-58362: Fixed Url Scheme Offset Path Confusion (cve-2025-58362-fixed-url-scheme-offset-path-confusion)
CVE-2025-59049: Mockoon Template Path Traversal (cve-2025-59049-mockoon-template-path-traversal)
CVE-2025-61582: Ts3 Nodejs Library Untrusted Connect (cve-2025-61582-ts3-nodejs-library-untrusted-connect)
CVE-2025-61602: Unvalidated Emoji Mart Data Access (cve-2025-61602-unvalidated-emoji-mart-data-access)
CVE-2025-64530: Improper Subset Validation Some (cve-2025-64530-improper-subset-validation-some)
CVE-2025-64756: Foreground Child Shell True (cve-2025-64756-foreground-child-shell-true)
CVE-2025-66031: Uncontrolled Recursion Depth Limit (cve-2025-66031-uncontrolled-recursion-depth-limit)
CVE-2026-0622: Insecure Jwt Secret Env Fallback (cve-2026-0622-insecure-jwt-secret-env-fallback)
CVE-2026-21694: Trailing Spread Mass Assignment (cve-2026-21694-trailing-spread-mass-assignment)
CVE-2026-2265: Dynamic Global Instantiation Or Invocation (cve-2026-2265-dynamic-global-instantiation-or-invocation)
CVE-2026-22774: Dynamic Typedarray Unvalidated Allocation (cve-2026-22774-dynamic-typedarray-unvalidated-allocation)
CVE-2026-22775: Src Parse Js Cwe 000 Cve 2026 22775 (cve-2026-22775-src-parse-js-cwe-000-cve-2026-22775)
CVE-2026-22803: Eager Buffer Allocation Dos (cve-2026-22803-eager-buffer-allocation-dos)
CVE-2026-23487: Incorrect Target Role Authorization Bypass (cve-2026-23487-incorrect-target-role-authorization-bypass)
CVE-2026-24001: Jsdiff Dos Redos Mismatched Regex (cve-2026-24001-jsdiff-dos-redos-mismatched-regex)
CVE-2026-25535: Unbounded Array Allocation From Dimensions (cve-2026-25535-unbounded-array-allocation-from-dimensions)
CVE-2026-25565: Undefined Http Method Picker Route (cve-2026-25565-undefined-http-method-picker-route)
CVE-2026-26029: Node Exec Dynamic Command Injection (cve-2026-26029-node-exec-dynamic-command-injection)
CVE-2026-26278: Xmlparser Doctypereader Js Cwe 000 Cve 2026 26278 (cve-2026-26278-xmlparser-doctypereader-js-cwe-000-cve-2026-26278)
CVE-2026-27125: Ssr Unvalidated Dynamic Tag Injection (cve-2026-27125-ssr-unvalidated-dynamic-tag-injection)
CVE-2026-27595: Parse Dashboard Unauthenticated Agent Endpoint (cve-2026-27595-parse-dashboard-unauthenticated-agent-endpoint)
CVE-2026-27818: Domain Suffix Validation Bypass (cve-2026-27818-domain-suffix-validation-bypass)
CVE-2026-29045: Unsafe Path Decode (cve-2026-29045-unsafe-path-decode)
CVE-2026-29779: Uptimeflare Workerconfig Leak (cve-2026-29779-uptimeflare-workerconfig-leak)
CVE-2026-30952: Unvalidated Fallback Path Yield (cve-2026-30952-unvalidated-fallback-path-yield)
CVE-2026-31241: Path Traversal Via Join (cve-2026-31241-path-traversal-via-join)
CVE-2026-3125: Ssrf Via Path Regex Extraction (cve-2026-3125-ssrf-via-path-regex-extraction)
CVE-2026-32094: Shescape Missing Bracket Glob Escape (cve-2026-32094-shescape-missing-bracket-glob-escape)
CVE-2026-33750: Sequence Expansion Zero Step Dos (cve-2026-33750-sequence-expansion-zero-step-dos)
CVE-2026-34750: Improper Filename Sanitization Content Disposition (cve-2026-34750-improper-filename-sanitization-content-disposition)
CVE-2026-39943: Directus Missing Oauth Transport Validation (cve-2026-39943-directus-missing-oauth-transport-validation)
CVE-2026-40603: Chartbrew Cve 2026 40603 Dummy (cve-2026-40603-chartbrew-cve-2026-40603-dummy)
CVE-2026-41308: Knobs Controller Js Cwe 000 Cve 2026 41308 (cve-2026-41308-knobs-controller-js-cwe-000-cve-2026-41308)
CVE-2026-41691: Unsanitized Dict Interpolation (cve-2026-41691-unsanitized-dict-interpolation)
CVE-2026-41885: Custom Regex Interpolation Unvalidated (cve-2026-41885-custom-regex-interpolation-unvalidated)
CVE-2026-42073: Oauth Csrf State Bypass Via Error (cve-2026-42073-oauth-csrf-state-bypass-via-error)
CVE-2026-42074: Raw Result Return Property Injection (cve-2026-42074-raw-result-return-property-injection)
CVE-2026-42220: Websocket Index Ts Cwe 000 Cve 2026 42220 (cve-2026-42220-websocket-index-ts-cwe-000-cve-2026-42220)
CVE-2026-43889: Unbounded Zip Extraction (cve-2026-43889-unbounded-zip-extraction)
CVE-2026-44456: Hono Jwt Missing Jwk Extraction (cve-2026-44456-hono-jwt-missing-jwk-extraction)
CVE-2026-44645: Unvalidated Fallback Path Traversal (cve-2026-44645-unvalidated-fallback-path-traversal)
CVE-2026-45149: Unbounded Loop Allocation Brace Expansion (cve-2026-45149-unbounded-loop-allocation-brace-expansion)
CVE-2026-45582: Nested Array Filter Index Shift Logic Bug (cve-2026-45582-nested-array-filter-index-shift-logic-bug)
CVE-2026-46551: Nocodb Arraysort Ast Sqli (cve-2026-46551-nocodb-arraysort-ast-sqli)
CVE-2026-9673: Bypass Csv Injection Protection (cve-2026-9673-bypass-csv-injection-protection)
CVE-2019-10742: Nodejs Stream Data Handler Reject Without Destroy (cve-2019-10742-nodejs-stream-data-handler-reject-without-destroy)
CVE-2021-3749: Redos Whitespace Replace Star Quantifier (cve-2021-3749-redos-whitespace-replace-star-quantifier)
CVE-2021-4435: Child Process Unvalidated Wrapper (cve-2021-4435-child-process-unvalidated-wrapper)
CVE-2023-0163: Incomplete Prototype Pollution Blocklist (cve-2023-0163-incomplete-prototype-pollution-blocklist)
CVE-2023-45857: Xsrf Token Disclosed Via Withcredentials (cve-2023-45857-xsrf-token-disclosed-via-withcredentials)
CVE-2024-21489: Custom Deep Merge Prototype Pollution (cve-2024-21489-custom-deep-merge-prototype-pollution)
CVE-2024-21529: Implicit String Coercion Prototype Pollution (cve-2024-21529-implicit-string-coercion-prototype-pollution)
CVE-2024-24558: React Unescaped Json In Dangerouslysetinnerhtml (cve-2024-24558-react-unescaped-json-in-dangerouslysetinnerhtml)
CVE-2024-28195: Missing Samesite On Express Cookie (cve-2024-28195-missing-samesite-on-express-cookie)
CVE-2024-29194: Overly Permissive Global Read Access (cve-2024-29194-overly-permissive-global-read-access)
CVE-2024-29651: Custom Merge Prototype Pollution (cve-2024-29651-custom-merge-prototype-pollution)
CVE-2024-3025: Nodejs Path Join Unnormalized Filename Traversal (cve-2024-3025-nodejs-path-join-unnormalized-filename-traversal)
CVE-2024-30264: Next Router Query Xss Redirect (cve-2024-30264-next-router-query-xss-redirect)
CVE-2024-3029: Payload Extraction Before State Check (cve-2024-3029-payload-extraction-before-state-check)
CVE-2024-31206: Insecure Http Request (cve-2024-31206-insecure-http-request)
CVE-2024-32866: Unchecked Prototype Pollution Loop (cve-2024-32866-unchecked-prototype-pollution-loop)
CVE-2024-36109: Xss Sanitizer Script Whitelist (cve-2024-36109-xss-sanitizer-script-whitelist)
CVE-2024-36120: Ast Dynamic Evaluation (cve-2024-36120-ast-dynamic-evaluation)
CVE-2024-38999: Js Foreach Prop No Proto Blocklist (cve-2024-38999-js-foreach-prop-no-proto-blocklist)
CVE-2024-39008: Javascript Prototype Pollution Recursive Deep Merge (cve-2024-39008-javascript-prototype-pollution-recursive-deep-merge)
CVE-2024-39943: Nodejs Child Process Exec Template Literal Injection (cve-2024-39943-nodejs-child-process-exec-template-literal-injection)
CVE-2024-41662: Markdown It Missing Html Block Sanitization (cve-2024-41662-markdown-it-missing-html-block-sanitization)
CVE-2024-43805: Sanitize Html Dom Clobbering (cve-2024-43805-sanitize-html-dom-clobbering)
CVE-2024-53866: Deferred Json Stringify Of Mutable Object Param (cve-2024-53866-deferred-json-stringify-of-mutable-object-param)
CVE-2024-56143: Strapi Missing Lookup Validation (cve-2024-56143-strapi-missing-lookup-validation)
CVE-2024-56200: Koa Unauthenticated Proxy Middleware (cve-2024-56200-koa-unauthenticated-proxy-middleware)
CVE-2024-57190: Express Trusted User Header Forwarded Without Stripping Incoming (cve-2024-57190-express-trusted-user-header-forwarded-without-stripping-incoming)
CVE-2025-11202: Nodejs Child Process Exec Template Literal Injection (cve-2025-11202-nodejs-child-process-exec-template-literal-injection)
CVE-2025-12489: Auth Js Cwe 000 Cve 2025 12489 (cve-2025-12489-auth-js-cwe-000-cve-2025-12489)
CVE-2025-12613: Cloudinary Api Sign Request Argument Injection (cve-2025-12613-cloudinary-api-sign-request-argument-injection)
CVE-2025-12735: Expr Eval Cve 2025 12735 Unchecked Function Dispatch (cve-2025-12735-expr-eval-cve-2025-12735-unchecked-function-dispatch)
CVE-2025-15061: Nodejs Exec Template Literal Command Injection (cve-2025-15061-nodejs-exec-template-literal-command-injection)
CVE-2025-24896: Client Side Logout Missing Cookie Clearing (cve-2025-24896-client-side-logout-missing-cookie-clearing)
CVE-2025-24900: Client Cookie Missing Samesite (cve-2025-24900-client-cookie-missing-samesite)
CVE-2025-25205: Express Url Regex Query Bypass (cve-2025-25205-express-url-regex-query-bypass)
CVE-2025-25977: Js Prototype Pollution Bracket Fallback Then Write (cve-2025-25977-js-prototype-pollution-bracket-fallback-then-write)
CVE-2025-27152: Ssrf Url Builder Absolute Url Bypass Cve 2025 27152 (cve-2025-27152-ssrf-url-builder-absolute-url-bypass-cve-2025-27152)
CVE-2025-47269: Express Ssrf Unvalidated Port (cve-2025-47269-express-ssrf-unvalidated-port)
CVE-2025-4759: Missing Trailing Slash In Url Startswith (cve-2025-4759-missing-trailing-slash-in-url-startswith)
CVE-2025-49141: Haxcms Command Injection Git Set Remote (cve-2025-49141-haxcms-command-injection-git-set-remote)
CVE-2025-53369: Mediawiki Unsanitized Addsubtitle (cve-2025-53369-mediawiki-unsanitized-addsubtitle)
CVE-2025-53624: Docusaurus Plugin Secret In Route Modules (cve-2025-53624-docusaurus-plugin-secret-in-route-modules)
CVE-2025-53967: Insecure Path Startswith Match (cve-2025-53967-insecure-path-startswith-match)
CVE-2025-54063: Insecure Path Sanitization Forward Slash (cve-2025-54063-insecure-path-sanitization-forward-slash)
CVE-2025-59046: Nodejs Child Process Exec Template Literal Injection (cve-2025-59046-nodejs-child-process-exec-template-literal-injection)
CVE-2025-59304: Multer Original Name Path Traversal (cve-2025-59304-multer-original-name-path-traversal)
CVE-2025-59430: Unvalidated Base64 Url (cve-2025-59430-unvalidated-base64-url)
CVE-2025-59528: Function Constructor Eval Code Injection (cve-2025-59528-function-constructor-eval-code-injection)
CVE-2025-59839: Mediawiki Dataset Json Parse (cve-2025-59839-mediawiki-dataset-json-parse)
CVE-2025-61140: Jsonpath Prototype Pollution Cve 2025 61140 (cve-2025-61140-jsonpath-prototype-pollution-cve-2025-61140)
CVE-2025-62718: Proxy From Env No Proxy Hostname Bypass Ssrf (cve-2025-62718-proxy-from-env-no-proxy-hostname-bypass-ssrf)
CVE-2025-64759: Next Response Unsanitized Dynamic Content Type (cve-2025-64759-next-response-unsanitized-dynamic-content-type)
CVE-2025-65108: Gray Matter Javascript Engine Not Disabled (cve-2025-65108-gray-matter-javascript-engine-not-disabled)
CVE-2025-65966: Sensitive Model Public Mutation (cve-2025-65966-sensitive-model-public-mutation)
CVE-2025-69971: Hardcoded Jwt Secret (cve-2025-69971-hardcoded-jwt-secret)
CVE-2025-69981: Express File Upload Missing Auth Middleware (cve-2025-69981-express-file-upload-missing-auth-middleware)
CVE-2025-69983: Nodejs Naive Path Traversal Sanitization (cve-2025-69983-nodejs-naive-path-traversal-sanitization)
CVE-2025-70041: Webpack Dev Server Bound All Interfaces (cve-2025-70041-webpack-dev-server-bound-all-interfaces)
CVE-2025-8267: Incomplete Private Ip Cidr Blocklist (cve-2025-8267-incomplete-private-ip-cidr-blocklist)
CVE-2026-1470: Ast Sandbox Missing With Statement Visitor (cve-2026-1470-ast-sandbox-missing-with-statement-visitor)
CVE-2026-1774: Prototype Pollution Via Path Reduce (cve-2026-1774-prototype-pollution-via-path-reduce)
CVE-2026-21854: Js Auth Bracket Lookup Loose Equality (cve-2026-21854-js-auth-bracket-lookup-loose-equality)
CVE-2026-22031: Findmyway Safedecodeuri Middleware Bypass (cve-2026-22031-findmyway-safedecodeuri-middleware-bypass)
CVE-2026-22037: Raw Url Assignment Without Decoding (cve-2026-22037-raw-url-assignment-without-decoding)
CVE-2026-22686: Host Realm Error Sandbox Prototype Chain Escape (cve-2026-22686-host-realm-error-sandbox-prototype-chain-escape)
CVE-2026-23744: Hono Node Server Bound To All Interfaces (cve-2026-23744-hono-node-server-bound-to-all-interfaces)
CVE-2026-23830: Sandbox Incomplete Constructor Interception Missing Asyncfunction (cve-2026-23830-sandbox-incomplete-constructor-interception-missing-asyncfunction)
CVE-2026-23869: React Unbounded Dev Error Trace (cve-2026-23869-react-unbounded-dev-error-trace)
CVE-2026-23870: React Native Sparse Array Dos (cve-2026-23870-react-native-sparse-array-dos)
CVE-2026-24737: Jspdf Unescaped Pdf Injection (cve-2026-24737-jspdf-unescaped-pdf-injection)
CVE-2026-24741: Unvalidated File Deletion (cve-2026-24741-unvalidated-file-deletion)
CVE-2026-24781: Vm2 Proxy Handler Missing Construction Token (cve-2026-24781-vm2-proxy-handler-missing-construction-token)
CVE-2026-24884: Tar Extraction Path Traversal (cve-2026-24884-tar-extraction-path-traversal)
CVE-2026-24901: Unsafe Zip Decompression Read (cve-2026-24901-unsafe-zip-decompression-read)
CVE-2026-25221: Oauth Missing State Parameter Validation (cve-2026-25221-oauth-missing-state-parameter-validation)
CVE-2026-25520: Sandboxjs Unwrapped Native Call Return Value (cve-2026-25520-sandboxjs-unwrapped-native-call-return-value)
CVE-2026-25586: Unsafe Hasownproperty Shadowing (cve-2026-25586-unsafe-hasownproperty-shadowing)
CVE-2026-25587: Prototype Guard Unsafe Hasownproperty Instance Method (cve-2026-25587-prototype-guard-unsafe-hasownproperty-instance-method)
CVE-2026-25639: Javascript Recursive Merge Prototype Pollution (cve-2026-25639-javascript-recursive-merge-prototype-pollution)
CVE-2026-25641: Property Key Type Confusion Toctou (cve-2026-25641-property-key-type-confusion-toctou)
CVE-2026-25755: Pdf Js Injection (cve-2026-25755-pdf-js-injection)
CVE-2026-2577: Websocketserver Missing Localhost Binding (cve-2026-2577-websocketserver-missing-localhost-binding)
CVE-2026-25803: Bcrypt Hash With Hardcoded Password Literal (cve-2026-25803-bcrypt-hash-with-hardcoded-password-literal)
CVE-2026-25893: Jwt Sign Identity From Request Header (cve-2026-25893-jwt-sign-identity-from-request-header)
CVE-2026-25938: Express Auth Bypass Via Referer Header (cve-2026-25938-express-auth-bypass-via-referer-header)
CVE-2026-25940: Jspdf Acroform Pdf Injection (cve-2026-25940-jspdf-acroform-pdf-injection)
CVE-2026-26021: Prototype Pollution Via Includes Guard (cve-2026-26021-prototype-pollution-via-includes-guard)
CVE-2026-26280: Stale Variable In Retry (cve-2026-26280-stale-variable-in-retry)
CVE-2026-26830: Nodejs Child Process Exec Util Format Command Injection (cve-2026-26830-nodejs-child-process-exec-util-format-command-injection)
CVE-2026-26831: Textract Cve 2026 26831 Shell Injection Incomplete Path Escape (cve-2026-26831-textract-cve-2026-26831-shell-injection-incomplete-path-escape)
CVE-2026-26833: Nodejs Child Process Exec String Concat (cve-2026-26833-nodejs-child-process-exec-string-concat)
CVE-2026-26861: Insecure Postmessage Origin Validation (cve-2026-26861-insecure-postmessage-origin-validation)
CVE-2026-26862: Insecure Postmessage Includes Origin Check (cve-2026-26862-insecure-postmessage-includes-origin-check)
CVE-2026-26954: Sandboxjs Call Result Missing Sanitize Array (cve-2026-26954-sandboxjs-call-result-missing-sanitize-array)
CVE-2026-26974: Fast Glob Unanchored Recursive Glob Rce (cve-2026-26974-fast-glob-unanchored-recursive-glob-rce)
CVE-2026-27192: Insecure Origin Validation Startswith (cve-2026-27192-insecure-origin-validation-startswith)
CVE-2026-27203: Insecure Env File Update (cve-2026-27203-insecure-env-file-update)
CVE-2026-27627: Unsanitized Metascraper Html (cve-2026-27627-unsanitized-metascraper-html)
CVE-2026-27700: X Forwarded For Spoofing (cve-2026-27700-x-forwarded-for-spoofing)
CVE-2026-27886: Nodemailer Pick Strips Security Properties (cve-2026-27886-nodemailer-pick-strips-security-properties)
CVE-2026-27960: Opencti Authenticate User By Token Or Userid Cve 2026 27960 (cve-2026-27960-opencti-authenticate-user-by-token-or-userid-cve-2026-27960)
CVE-2026-27971: Js Require Dynamic Module And Symbol From Input (cve-2026-27971-js-require-dynamic-module-and-symbol-from-input)
CVE-2026-28291: Git Upload Pack Blocklist Bypass (cve-2026-28291-git-upload-pack-blocklist-bypass)
CVE-2026-28445: Solidjs Unsanitized Innerhtml (cve-2026-28445-solidjs-unsanitized-innerhtml)
CVE-2026-28678: Jwt Cleartext Cookie Storage (cve-2026-28678-jwt-cleartext-cookie-storage)
CVE-2026-29063: Immutable Js Iterate Unguarded Key Assignment Prototype Pollution (cve-2026-29063-immutable-js-iterate-unguarded-key-assignment-prototype-pollution)
CVE-2026-29112: Unbounded Regex Dimension Extraction (cve-2026-29112-unbounded-regex-dimension-extraction)
CVE-2026-29792: Feathersjs Oauth Authenticate Params Query Fallback (cve-2026-29792-feathersjs-oauth-authenticate-params-query-fallback)
CVE-2026-29793: Feathersjs Mongodb Id Nosql Injection (cve-2026-29793-feathersjs-mongodb-id-nosql-injection)
CVE-2026-30822: Insecure Filename Replace Path Traversal (cve-2026-30822-insecure-filename-replace-path-traversal)
CVE-2026-30966: Parse Server Missing Join Table Access Guard (cve-2026-30966-parse-server-missing-join-table-access-guard)
CVE-2026-31840: Parse Logical Op Array Like Bypass (cve-2026-31840-parse-logical-op-array-like-bypass)
CVE-2026-31856: Postgres Jsonb Increment Sql Injection Via Template Literal (cve-2026-31856-postgres-jsonb-increment-sql-injection-via-template-literal)
CVE-2026-31871: Parse Server Postgres Increment Jsonb Sql Injection (cve-2026-31871-parse-server-postgres-increment-jsonb-sql-injection)
CVE-2026-31898: Jspdf Freetext Annotation Injection (cve-2026-31898-jspdf-freetext-annotation-injection)
CVE-2026-31975: Shell Command Injection Via Cd Template Literal (cve-2026-31975-shell-command-injection-via-cd-template-literal)
CVE-2026-32038: Docker Network Container Namespace Join Allowed By Default (cve-2026-32038-docker-network-container-namespace-join-allowed-by-default)
CVE-2026-32248: Parse Logical Op Arraylike Bypass (cve-2026-32248-parse-logical-op-arraylike-bypass)
CVE-2026-32260: Insecure Shell Arg Concat Or Flawed Regex (cve-2026-32260-insecure-shell-arg-concat-or-flawed-regex)
CVE-2026-32304: Js Function Constructor Non Literal Body (cve-2026-32304-js-function-constructor-non-literal-body)
CVE-2026-32621: Js Prototype Pollution Dynamic Key Merge (cve-2026-32621-js-prototype-pollution-dynamic-key-merge)
CVE-2026-32701: Qwik City Formdata Array Pollution (cve-2026-32701-qwik-city-formdata-array-pollution)
CVE-2026-32729: Promisified Child Process Exec (cve-2026-32729-promisified-child-process-exec)
CVE-2026-32730: Ast Node Falsy Bypass To Xss (cve-2026-32730-ast-node-falsy-bypass-to-xss)
CVE-2026-32763: Ast Visitor Unsanitized Query Append (cve-2026-32763-ast-visitor-unsanitized-query-append)
CVE-2026-33028: Vueuse Websocket Reactive Credentials (cve-2026-33028-vueuse-websocket-reactive-credentials)
CVE-2026-33146: Share Search Unrestricted Page Descendants (cve-2026-33146-share-search-unrestricted-page-descendants)
CVE-2026-33151: Unbounded Attachments Dos (cve-2026-33151-unbounded-attachments-dos)
CVE-2026-33193: Cve 2026 33193 Multipart Mime Type Spoofing Stored Xss (cve-2026-33193-cve-2026-33193-multipart-mime-type-spoofing-stored-xss)
CVE-2026-33228: Array Index Via String Wrapper Prototype Pollution (cve-2026-33228-array-index-via-string-wrapper-prototype-pollution)
CVE-2026-33640: Otp Verify Without Attempt Limit (cve-2026-33640-otp-verify-without-attempt-limit)
CVE-2026-33804: Fastify Middie Normalization Options Missing Config Fallback (cve-2026-33804-fastify-middie-normalization-options-missing-config-fallback)
CVE-2026-33877: Password Reset Timing Side Channel User Enumeration (cve-2026-33877-password-reset-timing-side-channel-user-enumeration)
CVE-2026-33890: Ts Admin Auth Gated On Loginrequired Config Flag (cve-2026-33890-ts-admin-auth-gated-on-loginrequired-config-flag)
CVE-2026-33891: Fallback Jsbn Modinverse Missing Zero Check (cve-2026-33891-fallback-jsbn-modinverse-missing-zero-check)
CVE-2026-33937: Handlebars Compile Untrusted Ast Input (cve-2026-33937-handlebars-compile-untrusted-ast-input)
CVE-2026-33938: Unvalidated Ast Passthrough (cve-2026-33938-unvalidated-ast-passthrough)
CVE-2026-33940: Insecure Ast Node Return (cve-2026-33940-insecure-ast-node-return)
CVE-2026-33979: Sanitizer Config Ignored Empty Array (cve-2026-33979-sanitizer-config-ignored-empty-array)
CVE-2026-33994: Js Prototype Pollution Regex Test Guard (cve-2026-33994-js-prototype-pollution-regex-test-guard)
CVE-2026-34209: Payment Channel Insecure Voucher Comparison (cve-2026-34209-payment-channel-insecure-voucher-comparison)
CVE-2026-34212: Authorization Check And Of Not Equal Throws (cve-2026-34212-authorization-check-and-of-not-equal-throws)
CVE-2026-34213: Authorization Guard And Not Equals Bypass (cve-2026-34213-authorization-guard-and-not-equals-bypass)
CVE-2026-34226: Leaky Cookie Origin In Fetch (cve-2026-34226-leaky-cookie-origin-in-fetch)
CVE-2026-34404: Nuxt Og Image Html Ssrf (cve-2026-34404-nuxt-og-image-html-ssrf)
CVE-2026-34840: Saml Assertion Wrapping Missing Length Check (cve-2026-34840-saml-assertion-wrapping-missing-length-check)
CVE-2026-35209: Object Assign Prototype Hijack (cve-2026-35209-object-assign-prototype-hijack)
CVE-2026-35213: Redos In Regex Endings (cve-2026-35213-redos-in-regex-endings)
CVE-2026-35394: Improper Error Class In Url Validation (cve-2026-35394-improper-error-class-in-url-validation)
CVE-2026-35409: Directus Missing Oauth Validation (cve-2026-35409-directus-missing-oauth-validation)
CVE-2026-35442: Express Missing Oauth Scope Validation (cve-2026-35442-express-missing-oauth-scope-validation)
CVE-2026-39363: Bypass Fs Check Via Hardcoded Env (cve-2026-39363-bypass-fs-check-via-hardcoded-env)
CVE-2026-39408: Insecure Route Path Join (cve-2026-39408-insecure-route-path-join)
CVE-2026-39859: Conditional Path Containment Bypass (cve-2026-39859-conditional-path-containment-bypass)
CVE-2026-39865: Array Splice Missing Unconditional Return In Backward While Loop (cve-2026-39865-array-splice-missing-unconditional-return-in-backward-while-loop)
CVE-2026-39974: Array Filter Index Shift Logic Bug (cve-2026-39974-array-filter-index-shift-logic-bug)
CVE-2026-40073: Unvalidated Content Length Limit Bypass (cve-2026-40073-unvalidated-content-length-limit-bypass)
CVE-2026-40322: Mermaid Svg Innerhtml Xss Without Dompurify (cve-2026-40322-mermaid-svg-innerhtml-xss-without-dompurify)
CVE-2026-40351: Typescript Nosql Injection Via Type Assertion On Request Body (cve-2026-40351-typescript-nosql-injection-via-type-assertion-on-request-body)
CVE-2026-41167: Js Node Postgres Template Literal Sql Injection (cve-2026-41167-js-node-postgres-template-literal-sql-injection)
CVE-2026-41180: Path Startswith Directory Traversal (cve-2026-41180-path-startswith-directory-traversal)
CVE-2026-41242: Protobufjs Type Constructor Unsanitized Name Code Injection (cve-2026-41242-protobufjs-type-constructor-unsanitized-name-code-injection)
CVE-2026-41248: Clerk Create Route Matcher Affirmative Gate Bypass (cve-2026-41248-clerk-create-route-matcher-affirmative-gate-bypass)
CVE-2026-41278: Path Traversal Unsafe Prefix Replace (cve-2026-41278-path-traversal-unsafe-prefix-replace)
CVE-2026-41297: Unvalidated Url Extraction Pipestream (cve-2026-41297-unvalidated-url-extraction-pipestream)
CVE-2026-41311: Uncontrolled Block Render Recursion (cve-2026-41311-uncontrolled-block-render-recursion)
CVE-2026-41455: Meteor Simpleschema Ssrf Missing Validation (cve-2026-41455-meteor-simpleschema-ssrf-missing-validation)
CVE-2026-41500: Command Injection Exec Unsanitized Json (cve-2026-41500-command-injection-exec-unsanitized-json)
CVE-2026-41693: Path Traversal Unvalidated Template Interpolation (cve-2026-41693-path-traversal-unvalidated-template-interpolation)
CVE-2026-41893: Signalk Securitystrategy Login Without Rate Limit (cve-2026-41893-signalk-securitystrategy-login-without-rate-limit)
CVE-2026-42089: Yeoman Missing Authorization Prompt (cve-2026-42089-yeoman-missing-authorization-prompt)
CVE-2026-42193: Missing Aws Sns Signature Verification (cve-2026-42193-missing-aws-sns-signature-verification)
CVE-2026-42345: Broken Json String Escaping Lookbehind Replace (cve-2026-42345-broken-json-string-escaping-lookbehind-replace)
CVE-2026-42449: Position Dependent Array Index Shift (cve-2026-42449-position-dependent-array-index-shift)
CVE-2026-43566: Openclaw Heartbeat Wake Pending Events Omitted (cve-2026-43566-openclaw-heartbeat-wake-pending-events-omitted)
CVE-2026-43886: Loop Item Path Traversal Heuristic (cve-2026-43886-loop-item-path-traversal-heuristic)
CVE-2026-43898: Sandbox Missing Function Caller Restriction (cve-2026-43898-sandbox-missing-function-caller-restriction)
CVE-2026-43940: Ai Schema Authtype Missing Profile Constraint (cve-2026-43940-ai-schema-authtype-missing-profile-constraint)
CVE-2026-43944: Unsanitized Json Parse To Object Assign (cve-2026-43944-unsanitized-json-parse-to-object-assign)
CVE-2026-43997: Fragile Function Constructor Name Guard (cve-2026-43997-fragile-function-constructor-name-guard)
CVE-2026-44005: Cve 2026 44005 Proxy Write Trap Missing Intrinsic Prototype Guard (cve-2026-44005-cve-2026-44005-proxy-write-trap-missing-intrinsic-prototype-guard)
CVE-2026-44008: Sandbox Bridge Array Index Assign Bypasses Reflect Define (cve-2026-44008-sandbox-bridge-array-index-assign-bypasses-reflect-define)
CVE-2026-44009: Sandbox Array Prototype Setter Leak (cve-2026-44009-sandbox-array-prototype-setter-leak)
CVE-2026-44313: Ssrf Scheme Only Url Guard Before Server Fetch (cve-2026-44313-ssrf-scheme-only-url-guard-before-server-fetch)
CVE-2026-44643: Js Unsafe Method Style Hasownproperty (cve-2026-44643-js-unsafe-method-style-hasownproperty)
CVE-2026-44974: Custom Parser Missing Duplicate Key Check (cve-2026-44974-custom-parser-missing-duplicate-key-check)
CVE-2026-45325: Unquoted Dynamic Table Drop Or Show (cve-2026-45325-unquoted-dynamic-table-drop-or-show)
CVE-2026-45357: Liquidjs Unvalidated Fs Fallback (cve-2026-45357-liquidjs-unvalidated-fs-fallback)
CVE-2026-45617: Fallback Path Traversal Yield (cve-2026-45617-fallback-path-traversal-yield)
CVE-2026-45618: Liquidjs Missing Root Containment Fallback (cve-2026-45618-liquidjs-missing-root-containment-fallback)
CVE-2026-45707: N8n Workflow Connection Index Shift (cve-2026-45707-n8n-workflow-connection-index-shift)
CVE-2026-45783: Kad Dht Eclipse Vulnerability (cve-2026-45783-kad-dht-eclipse-vulnerability)
CVE-2026-46510: Prototype Pollution Via In Operator (cve-2026-46510-prototype-pollution-via-in-operator)
CVE-2026-46679: Kad Dht Insufficient Initial Peers (cve-2026-46679-kad-dht-insufficient-initial-peers)
CVE-2026-47092: Insecure Comspec Execution (cve-2026-47092-insecure-comspec-execution)
CVE-2026-47131: Sandbox Apply Trap Indirection Bypass (cve-2026-47131-sandbox-apply-trap-indirection-bypass)
CVE-2026-47135: Incomplete Symbol For Namespace Block (cve-2026-47135-incomplete-symbol-for-namespace-block)
CVE-2026-47138: Js Redos Adjacent Greedy Quantifiers On User Input (cve-2026-47138-js-redos-adjacent-greedy-quantifiers-on-user-input)
CVE-2026-47139: Bypass Node Internal Modules Filter (cve-2026-47139-bypass-node-internal-modules-filter)
CVE-2026-47140: Node Module Denylist Bypass (cve-2026-47140-node-module-denylist-bypass)
CVE-2026-47210: Vm2 Jspi Sandbox Escape (cve-2026-47210-vm2-jspi-sandbox-escape)
CVE-2026-47759: Unsanitized Dynamic Attribute Restore (cve-2026-47759-unsanitized-dynamic-attribute-restore)
CVE-2026-47762: Tinymce Unsafe Astnode Xss (cve-2026-47762-tinymce-unsafe-astnode-xss)
CVE-2026-4800: Unvalidated Dynamic Code Evaluation (cve-2026-4800-unvalidated-dynamic-code-evaluation)
CVE-2026-5752: Pyodide Jsglobals Prototype Chain Escape (cve-2026-5752-pyodide-jsglobals-prototype-chain-escape)
CVE-2026-6057: Nodejs Formdata File Name Path Traversal (cve-2026-6057-nodejs-formdata-file-name-path-traversal)
CVE-2026-6270: Fastify Express Middleware Double Prefix Auth Bypass (cve-2026-6270-fastify-express-middleware-double-prefix-auth-bypass)
CVE-2026-8656: Html Quoted Entity Interpolation Without Escape (cve-2026-8656-html-quoted-entity-interpolation-without-escape)
CVE-2026-8723: Qs Stringify Comma MaybeMap Unguarded Encoder (cve-2026-8723-qs-stringify-comma-maybemap-unguarded-encoder)
CVE-2026-8890: Next Middleware Unvalidated Header Bypass (cve-2026-8890-next-middleware-unvalidated-header-bypass)
Buf Buffer Noassert Read (gitlab-sast-javascript-buf-rule-buffer-noassert-read)
Buf Buffer Noassert Write (gitlab-sast-javascript-buf-rule-buffer-noassert-write)
Buf Detect New Buffer (gitlab-sast-javascript-buf-rule-detect-new-buffer)
Dos Non Literal Regexp (gitlab-sast-javascript-dos-rule-non-literal-regexp)
Eval Eval With Expression (gitlab-sast-javascript-eval-rule-eval-with-expression)
Random Pseudo Random Bytes (gitlab-sast-javascript-random-rule-pseudo-random-bytes)
React Dangerouslysetinnerhtml (gitlab-sast-javascript-react-rule-dangerouslysetinnerhtml)
Require Non Literal Require (gitlab-sast-javascript-require-rule-non-literal-require)
Timing Possible Timing Attacks (gitlab-sast-javascript-timing-rule-possible-timing-attacks)
Xss Mustache Escape (gitlab-sast-javascript-xss-rule-mustache-escape)
Crypto Node Aes Ecb (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-aes-ecb)
Crypto Node Aes Noiv (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-aes-noiv)
Crypto Node Md5 (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-md5)
Crypto Node Sha1 (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-sha1)
Crypto Node Timing Attack (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-timing-attack)
Crypto Node Tls Reject (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-tls-reject)
Crypto Node Weak Crypto (gitlab-sast-rules-lgpl-javascript-crypto-rule-node-weak-crypto)
Database Node Knex Sqli Injection (gitlab-sast-rules-lgpl-javascript-database-rule-node-knex-sqli-injection)
Database Node Nosqli Js Injection (gitlab-sast-rules-lgpl-javascript-database-rule-node-nosqli-js-injection)
Database Node Sqli Injection (gitlab-sast-rules-lgpl-javascript-database-rule-node-sqli-injection)
Database Sequelize Tls Cert Validation (gitlab-sast-rules-lgpl-javascript-database-rule-sequelize-tls-cert-validation)
Database Sequelize Tls (gitlab-sast-rules-lgpl-javascript-database-rule-sequelize-tls)
Database Sequelize Weak Tls (gitlab-sast-rules-lgpl-javascript-database-rule-sequelize-weak-tls)
Dos Layer7 Object Dos (gitlab-sast-rules-lgpl-javascript-dos-rule-layer7-object-dos)
Dos Regex Dos (gitlab-sast-rules-lgpl-javascript-dos-rule-regex-dos)
Electronjs Electron Allow Http (gitlab-sast-rules-lgpl-javascript-electronjs-rule-electron-allow-http)
Electronjs Electron Blink Integration (gitlab-sast-rules-lgpl-javascript-electronjs-rule-electron-blink-integration)
Electronjs Electron Context Isolation (gitlab-sast-rules-lgpl-javascript-electronjs-rule-electron-context-isolation)
Electronjs Electron Disable Websecurity (gitlab-sast-rules-lgpl-javascript-electronjs-rule-electron-disable-websecurity)
Electronjs Electron Experimental Features (gitlab-sast-rules-lgpl-javascript-electronjs-rule-electron-experimental-features)
Electronjs Electron Nodejs Integration (gitlab-sast-rules-lgpl-javascript-electronjs-rule-electron-nodejs-integration)
Eval Eval Nodejs (gitlab-sast-rules-lgpl-javascript-eval-rule-eval-nodejs)
Eval Eval Require (gitlab-sast-rules-lgpl-javascript-eval-rule-eval-require)
Eval Grpc Insecure Connection (gitlab-sast-rules-lgpl-javascript-eval-rule-grpc-insecure-connection)
Eval Node Deserialize (gitlab-sast-rules-lgpl-javascript-eval-rule-node-deserialize)
Eval Sandbox Code Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-sandbox-code-injection)
Eval Serializetojs Deserialize (gitlab-sast-rules-lgpl-javascript-eval-rule-serializetojs-deserialize)
Eval Server Side Template Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-server-side-template-injection)
Eval Vm Code Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-vm-code-injection)
Eval Vm Compilefunction Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-vm-compilefunction-injection)
Eval Vm Runincontext Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-vm-runincontext-injection)
Eval Vm Runinnewcontext Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-vm-runinnewcontext-injection)
Eval Vm2 Code Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-vm2-code-injection)
Eval Vm2 Context Injection (gitlab-sast-rules-lgpl-javascript-eval-rule-vm2-context-injection)
Eval Yaml Deserialize (gitlab-sast-rules-lgpl-javascript-eval-rule-yaml-deserialize)
Exec Shelljs Os Command Exec (gitlab-sast-rules-lgpl-javascript-exec-rule-shelljs-os-command-exec)
Headers Cookie Session Default (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-default)
Headers Cookie Session No Domain (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-no-domain)
Headers Cookie Session No Httponly (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-no-httponly)
Headers Cookie Session No Maxage (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-no-maxage)
Headers Cookie Session No Path (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-no-path)
Headers Cookie Session No Samesite (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-no-samesite)
Headers Cookie Session No Secure (gitlab-sast-rules-lgpl-javascript-headers-rule-cookie-session-no-secure)
Headers Express Cors (gitlab-sast-rules-lgpl-javascript-headers-rule-express-cors)
Headers Generic Cors (gitlab-sast-rules-lgpl-javascript-headers-rule-generic-cors)
Headers Generic Header Injection (gitlab-sast-rules-lgpl-javascript-headers-rule-generic-header-injection)
Headers Header Xss Generic (gitlab-sast-rules-lgpl-javascript-headers-rule-header-xss-generic)
Headers Header Xss Lusca (gitlab-sast-rules-lgpl-javascript-headers-rule-header-xss-lusca)
Headers Helmet Feature Disabled (gitlab-sast-rules-lgpl-javascript-headers-rule-helmet-feature-disabled)
Headers Host Header Injection (gitlab-sast-rules-lgpl-javascript-headers-rule-host-header-injection)
Jwt Hardcoded Jwt Secret (gitlab-sast-rules-lgpl-javascript-jwt-rule-hardcoded-jwt-secret)
Jwt Jwt Exposed Credentials (gitlab-sast-rules-lgpl-javascript-jwt-rule-jwt-exposed-credentials)
Jwt Jwt Exposed Data (gitlab-sast-rules-lgpl-javascript-jwt-rule-jwt-exposed-data)
Jwt Jwt Express Hardcoded (gitlab-sast-rules-lgpl-javascript-jwt-rule-jwt-express-hardcoded)
Jwt Jwt Not Revoked (gitlab-sast-rules-lgpl-javascript-jwt-rule-jwt-not-revoked)
Jwt Node Jwt None Algorithm (gitlab-sast-rules-lgpl-javascript-jwt-rule-node-jwt-none-algorithm)
Redirect Express Open Redirect (gitlab-sast-rules-lgpl-javascript-redirect-rule-express-open-redirect)
Redirect Express Open Redirect2 (gitlab-sast-rules-lgpl-javascript-redirect-rule-express-open-redirect2)
Ssrf Node Ssrf (gitlab-sast-rules-lgpl-javascript-ssrf-rule-node-ssrf)
Ssrf Phantom Ssrf (gitlab-sast-rules-lgpl-javascript-ssrf-rule-phantom-ssrf)
Ssrf Playwright Ssrf (gitlab-sast-rules-lgpl-javascript-ssrf-rule-playwright-ssrf)
Ssrf Puppeteer Ssrf (gitlab-sast-rules-lgpl-javascript-ssrf-rule-puppeteer-ssrf)
Ssrf Wkhtmltoimage Ssrf (gitlab-sast-rules-lgpl-javascript-ssrf-rule-wkhtmltoimage-ssrf)
Ssrf Wkhtmltopdf Ssrf (gitlab-sast-rules-lgpl-javascript-ssrf-rule-wkhtmltopdf-ssrf)
Traversal Admzip Path Overwrite (gitlab-sast-rules-lgpl-javascript-traversal-rule-admzip-path-overwrite)
Traversal Express Lfr
Warninggitlab-sast-rules-lgpl-javascript-traversal-rule-express-lfr-warningTraversal Express Lfrgitlab-sast-rules-lgpl-javascript-traversal-rule-express-lfrTraversal Generic Path Traversalgitlab-sast-rules-lgpl-javascript-traversal-rule-generic-path-traversalTraversal Join Resolve Path Traversalgitlab-sast-rules-lgpl-javascript-traversal-rule-join-resolve-path-traversalTraversal Tar Path Overwritegitlab-sast-rules-lgpl-javascript-traversal-rule-tar-path-overwriteTraversal Zip Path Overwritegitlab-sast-rules-lgpl-javascript-traversal-rule-zip-path-overwriteXml Node Entity Expansiongitlab-sast-rules-lgpl-javascript-xml-rule-node-entity-expansionXml Node Xpath Injectiongitlab-sast-rules-lgpl-javascript-xml-rule-node-xpath-injectionXml Node Xxegitlab-sast-rules-lgpl-javascript-xml-rule-node-xxeXml Xxe Expatgitlab-sast-rules-lgpl-javascript-xml-rule-xxe-expatXss Express Xssgitlab-sast-rules-lgpl-javascript-xss-rule-express-xssXss Handlebars Noescapegitlab-sast-rules-lgpl-javascript-xss-rule-handlebars-noescapeXss Handlebars Safestringgitlab-sast-rules-lgpl-javascript-xss-rule-handlebars-safestringXss Squirrelly Autoescapegitlab-sast-rules-lgpl-javascript-xss-rule-squirrelly-autoescapeXss Xss Disable Mustache Escapegitlab-sast-rules-lgpl-javascript-xss-rule-xss-disable-mustache-escapeXss Xss Serialize Javascriptgitlab-sast-rules-lgpl-javascript-xss-rule-xss-serialize-javascript